Completing the DSPT

Helping with your data protection and security

FREE Support for all Care Providers

The Data Security and Protection Toolkit is not that difficult to complete but it does require some preparation in advance.


Below we go through the various steps you need to complete and the policies and procedures you need to have in place, along with links to the FREE advice and resources that the West Midlands Care Association can offer you



Setting up and registering to use the Data Security Protection Toolkit (DSPT)

Before you begin the Toolkit you must register to access it.


To do this go to:

You will need:


Your email address

A valid registration (ODS) Code

What is an ODS code?

An ODS Code is just a unique code that the NHS issues to all care providers.


You more than likely already have one but are not aware of it.  You can look up your code by clicking the button below

Find your ODS Code

If you can't find your ODS code or you know that you don't have one, contact the NHS's Exeter Helpdesk (exeter.helpdesk@nhs.net; 0300 303 4034), who will be able to help you.

Need more help?

Registering to use the Toolkit is very straightforward but you can see step by step instructions by clicking the button below


How to register

Setting up your Organisational Profile

Once you have registered to use the Toolkit, you will need to answer some profile questions, such as what type of business you are (Social Care), and to state who your data protection officers are: the Senior Information Risk Officer (SIRO), the Information Governance (IG) Lead, the Caldicott Guardian and the Data Protection Officer.


You can leave the data officer questions blank as you will be asked within the toolkit who is responsible for data protection


You will also be asked if you have Cyber Essentials certification (this is not mandatory) and whether or not you already use NHS Mail.

Do I legally need a Caldicott Guardian?

There has been a lot of confusion as to whether Adult Social Care providers are legally required to appoint a Caldicott Guardian.


The UK Caldicott Guardian Council issued advice stating that Social Care organisations with public funding need to 'have regard' for the National Data Guardian guidance. It was however worded in such a way as to imply this was mandatory - it is not.


It is ultimately up to you whether an appointment would be possible and useful. We recommend that if your organisation is of sufficient size that you are legally required to have a Data Protection Officer then you should seriously consider appointing a Caldicott Guardian.


Further information can be found at the UK Caldicott Guardianship Council website

Need more help?

We've produced a short video about what information you need which you can see below


Starting the Assessment

Data Protection in General (the basics)

The toolkit is an assessment of your data protection policies and procedures.   


Further down this page we've listed the basic items that you will need in place to successfully complete the toolkit.  These have been divided into the four sections that comprise the toolkit:


  • Staffing and Roles
  • Policies and Procedures
  • Data Security
  • IT Systems and devices


Each section contains links to more information and examples of relevant policies and procedures


We also run a weekly webinar on Data Protection in general which we recommend attending before you start your toolkit submission


DSPT Checklist

Before you start, download checklists to help you compile all the necessary policies and documents you need


If you wanted to see a list of the questions within the toolkit you can click on the link

DSPT Checklist

What Questions are on the Toolkit?

A full list of questions in the toolkit can be found here


If you need any help we suggest attending one of our webinars

Need more help?

We recommend attending our 1 hour Data Protection in General webinar before you start or watch the recording below


This webinar is aimed at Care Providers with no previous experience of the DSPT


We will give you an overview of the policies and procedures that you will need to successfully complete it.


If you want to attend this webinar in person, please visit our webinars page for available dates

Webinars and One to Ones

The Toolkit is a list of 42 questions. Some are marked mandatory. The questions marked Mandatory are the minimum you need to complete to publish at Approaching Standards (26 questions). You need to complete all 42 questions to publish at Standards Met


You cannot publish at Approaching Standards unless you upload an action plan on how you plan to address the issues stopping you from publishing at Standards Met. For this reason (and it's not that much more work) we recommend you continue to Standards Met.


To complete to Standards Met you will need to complete a further 16 questions


Toolkit Question Types


The toolkit will ask you three types of questions (click on the link to see an example):

1 A tick box to confirm your answer (essentially yes or no).


2 A text comment/statement


3 Upload a document, reference a document or weblink or enter text. You should always use the 'enter text' option; you do not have to upload documents unless you want to, but you must specify in the text box where the document is located (e.g. on a computer in the care home or on a website).


All questions include an optional comments box - we recommend that you don't make any comments unless you need to answer 'not applicable'

A note about Standards Exceeded

Standards Exceeded is a level above Standards Met.


You cannot achieve Standards Exceeded just by completing all the toolkit questions.


Standards Exceeded can only be achieved if your data policies and procedures have been externally validated by Cyber Essentials Plus



DSPT Section 1 - Staffing and Roles

This first section will ask you who is responsible within your organisation, how you conduct data training and that your contracts of employment cover data protection


This section contains 7 questions


We have also included a short video which takes you through each question in depth


You will need:

 

A Training needs analysis of data protection/security needs


A training needs analysis is a process which helps identify the data security and protection, and cyber security, training and development needs across your organisation.

Example IT Training Needs Analysis

1 Completing the DSPT: Staffing and Roles (7:32)

We've produced a short video about what information you need which you can see below



DSPT Section 2 - Policies and Procedures

This next section concentrates on the various policies and procedures you need to successfully complete the toolkit


This section contains 12 questions


We have also included a short video which takes you through each question in depth


You will need


ICO Registration Number

All companies that handle data in any form must be registered with the ICO (Information Commissioner's Office).  It is an offence if you hold or process data and are not registered.

If you need more information or want to check whether you are registered, click the button below

ICO Registration

Data Privacy Policy


Your data privacy policy is an overarching document which sets out how you collect personal data. 

Data Privacy Policies

Staff Data Policy


Staff must be aware of the safe and secure use of data and their individual responsibilities pertaining to its use and access.

Example Data Protection Policy

Data Register


This is a list of all the data you hold, where it is held and whether or not this is shared with other organisations. The Data Register is made up of several different documents.


Click the button below for an example plus information on document and information retention

Example Data Register

Whether you comply with the National Data Opt Out


The National Data Opt Out doesn't normally affect care providers but you must be aware of it and how you inform your clients of your obligations

National Data Opt Out

Document Retention Guidance


We often get questions about how long you should keep different types of data.  Although not a question on the toolkit, you may find the following guidance useful.

Document Retention Guidance

2 Completing the DSPT: Policies and Procedures  (13:27)

We've produced a short video about what information you need which you can see below


Webinars

If you feel you need additional help you can book one of our free webinar sessions where we offer more intensive help and can answer your questions. Details can be found by clicking the button below

FREE Webinars

One to One Support

We can also offer one to one support sessions (virtually)


These are available throughout normal office hours and can be booked by clicking the button below

FREE One to One Sessions

Contact us

If you need help you can contact the Care Association's dedicated digital helpline during normal office hours on 01384 943000 (opt 1) or send us a message


DSPT Section 3 - Data Security

This next section concentrates on the procedures and systems you have in place to secure your networks and data


This section contains 8 questions


There are no specific documents required to complete this section but we have included an optional example template


We have also included a short video which takes you through each question in depth

Example DPIA (optional)

3 Completing the DSPT: Data Security (8:07)

We've produced a short video about what information you need which you can see below



DSPT Section 4 - IT Systems and Devices

This final section concentrates on the infrastructure you have in place and how it is secured


This section contains 15 questions


We have also included a short video which takes you through each question in depth


You will need


Staff Bring Your Own Device Policy (BYOD)


If you allow staff to use their own phones/mobile devices you must have a policy outlining how this works and how it is managed. You do not need this policy if staff do not use their own devices

Bring Your Own Device (BYOD) Guidance

A document highlighting any unsupported software you use and the business need and risk (if you have unsupported software)


This document should indicate that your board or management team have formally considered the risks of continuing to use unsupported items and have concluded that the risks are acceptable.

Unsupported Software Register

4 Completing the DSPT: IT Systems and Procedures (15:06)

We've produced a short video about what information you need which you can see below



Publishing your assessment

Once you have done this successfully you can publish your toolkit to Standards Met level.


Once published, the Toolkit results are valid for 12 months.  You will be sent a reminder email to remind you to confirm your Toolkit status.


If you receive error messages when you try to publish then it is likely you have not completed all the questions

Multi-site publications

If you are a Head Office, you can publish your assessment to include all your satellite sites. The toolkit will prompt you to include the satellite sites it has on record.


If your satellite sites are not listed then you will either have to submit a separate publication for each site or contact the ODS helpdesk to see if they can link the sites for you

5 Completing the DSPT: Publishing the Toolkit (6:29)

We've produced a short video about what information you need which you can see below


Need More Help?

Hopefully you've found the information on this page useful.  If you feel you need further assistance by all means get in touch or book one of our regular webinar sessions





For further information about Digital policies and directives affecting Care Providers please check out the Digital Care Hub



www.digitalcarehub.co.uk

Further Support

As well as completing the DSPT, there are other things you can do to support your cyber security

Cyber Essentials

Cyber Essentials is a government backed cyber security standard which is available to all UK businesses.  Having Cyber Essentials certification shows that you have met certain standards for data protection and security.


There are two parts to the standard:


Cyber Essentials.  This is an online assessment of your data security and protection policies (not dissimilar to the DSPT). Your answers are checked and verified by a Cyber Essentials assessor.


Cyber Essentials Plus.  This extends the online assessment and your equipment is tested by the assessor for resilience against cyber attack and that you are adhering to your policies.


Cyber Essentials is not a replacement for the DSPT but the two are complementary.  Cyber Essentials Plus certification is a requirement for achieving DSPT Standards Exceeded


Price

Unlike the DSPT there is a cost involved to achieve certification and this differs depending on the company you choose to carry out the assessment. Expect to pay anything from £300-500 for Cyber Essentials and £1000-£2000 for Cyber Essentials Plus. Certification lasts 12 months and needs to be annually renewed


More details can be found here


National Cyber Resilience Centre

The National Cyber Resilience Centre Group (NCRCG) is a strategic collaboration between the police, government, private sector and academia to help strengthen cyber resilience across the nation’s small and medium-sized enterprise (SME) community, in support of the government’s National Cyber Strategy.


NCRCG is a not-for-profit organisation, funded and supported by the Home Office, policing and private sector partners.


Support is often free of charge and can be accessed through a network of regional centres


More information can be found here


This support programme is part of the Better Security, Better Care programme, funded by NHSX to support data and cyber security across the adult social care provider sector
